Back to skill

Security audit

交付文档

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-template skill that may save or publish generated project documents, but its behavior is disclosed and aligned with its purpose.

Before installing, be aware that this skill is designed to create local Markdown files and may use connected collaboration or project-management tools. Review generated documents for confidential client, deployment, access, or account information before saving or publishing them externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill instructs that all generated documents should be saved as files, but it does not tell the user that local data will be written or ask for confirmation before persistence. This can lead to unintended storage of sensitive project, customer, or deployment information on the local system, especially when users expect only an inline draft.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill proposes publishing documents to Notion/Feishu and pulling project status from Linear/Jira without any privacy notice, scope limitation, or confirmation step. That creates a real risk of sharing sensitive client content or ingesting external project data into the document flow without the user clearly authorizing what systems will be accessed and what data will be transmitted.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.